Access to the personal information of passengers and drivers? This Uber logic-flaw "combo" is worth a look

Posted by barello at 2020-04-15

Uber recently opened its bug bounty program and invited white hats to look for vulnerabilities in its online services. Join FreeBuf in taking a look at the "combo" that these logic flaws form together.

Information gathering

First, let's look at the targets Uber authorized for testing. The scope is very wide and covers essentially all of Uber's online services:

iPhone Rider Application

iPhone Partner Application

Android Rider Application

Android Partner Application

First I brute-forced the subdomains of Uber's main domain, mainly to collect every subdomain under it. After finding several live subdomains, I ran nmap against the whole list, mainly to view the page titles and content of those subdomains.

Decompiling the app with jd-gui, I looked at how Uber's map component is implemented, and then I used MobSF to run a security scan of the app.

The information collected above is enough for a routine security assessment.

Vulnerability mining

Enumerate coupon codes

Anyone who uses Uber knows that it lets users enter coupon codes to cover part of the fare. Looking into it, I found a payment interface on this page, and within it a separate API endpoint for coupon codes. During testing I found that Uber had put no anti-enumeration measures on this endpoint, so an attacker could enumerate coupon codes without limit.

During enumeration we found that three different response lengths correspond to three different results:

If the response length is 1951, the coupon is valid

If the response length is 1931, the coupon does not exist

If the response length is 1921, the coupon has expired

Uber also lets users create their own custom discount codes, and every custom code begins with "uber", which let us enumerate more than 1000 coupon codes.

Besides enumerating coupon codes, we also found that the Erh coupon codes Uber had launched earlier could be applied repeatedly. The coupon is worth $100 and had already been used by other people, but during enumeration we found that whether or not a code had been used, it could still be applied once we enumerated it.
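The coupon endpoint described above, modelled as an added example that is not Uber's code: the vulnerable handler (unlimited attempts, a distinct message per outcome, used codes still accepted) beside a hardened one with a per-account attempt budget, single-use enforcement and a uniform failure body. The coupon codes, account ids and attempt limit are constructed for the example.

```python
"""Anti-enumeration controls for a coupon-redemption endpoint.

Added example, not Uber's code. It models the weaknesses the writeup
describes: unlimited attempts, response lengths that reveal whether a code
is valid, missing or expired, and used codes that still redeem. Coupon
codes, account ids and the attempt limit are constructed for the example.
"""
import json
from collections import defaultdict

# Constructed coupon table: code -> state (a real service would use a database)
COUPONS = {
    "UBERSAVE10":  {"discount": 10,  "expired": False, "redeemed": False},
    "UBEROLD100":  {"discount": 100, "expired": True,  "redeemed": False},
    "UBERUSED100": {"discount": 100, "expired": False, "redeemed": True},
}

MAX_FAILED_ATTEMPTS = 5                 # constructed per-account budget
_failed = defaultdict(int)              # account_id -> consecutive failures


def redeem_vulnerable(account_id, code):
    """Behaviour from the writeup: no attempt limit, a distinct message per
    outcome (so response length is an oracle), and 'redeemed' is ignored."""
    c = COUPONS.get(code)
    if c is None:
        return json.dumps({"ok": False, "error": "coupon does not exist"})
    if c["expired"]:
        return json.dumps({"ok": False, "error": "coupon has expired"})
    return json.dumps({"ok": True, "discount": c["discount"]})


def redeem_hardened(account_id, code):
    """Per-account failure budget, single-use enforcement, and one generic
    failure body so the response length says nothing about the code."""
    if _failed[account_id] >= MAX_FAILED_ATTEMPTS:
        return json.dumps({"ok": False, "error": "too many attempts"})
    c = COUPONS.get(code)
    if c is None or c["expired"] or c["redeemed"]:
        _failed[account_id] += 1        # every failure consumes budget
        return json.dumps({"ok": False, "error": "coupon not applicable"})
    c["redeemed"] = True                # mark used before returning success
    _failed[account_id] = 0
    return json.dumps({"ok": True, "discount": c["discount"]})
```

In production the failure counter would live in a shared store and be keyed on account and source, and the lockout would also raise an alert, since a burst of failed redemptions is exactly the enumeration pattern described above.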

We then reported the vulnerability to Uber.

March 23, 2016 – vulnerability reported to Uber

March 23, 2016 – Uber begins reviewing the vulnerability

March 24, 2016 – we updated the vulnerability details

March 24, 2016 – Uber continues reviewing the vulnerability

April 19, 2016 – Uber fixed the vulnerability

May 2, 2016 – Uber paid the bounty

Use a UUID to view a user's registered email address

The picture below shows the help function in the Uber app. To be honest, most of us never use it even though we know it is always there, but that doesn't mean nobody does.

If you use it to send a help request to Uber, it replies: "We have received your request and will contact you through your registered email as soon as possible."

Analyzing this request, we found two parameters that decide whether we can see another person's email address: x-uber-uuid and UUID. By fuzzing the token parameter and changing the UUID to someone else's, you receive that person's email address.

You may wonder how we obtained this UUID; a UUID is long and hard to enumerate. We'll explain that later.

March 31, 2016 – vulnerability reported to Uber

March 31, 2016 – Uber begins reviewing the vulnerability

April 11, 2016 – Uber starts fixing the bug

April 13, 2016 – Uber paid the bounty

Enumerate user IDs and phone numbers

We kept looking for flaws in Uber, but they are often hard to find and exploit, so we decided to call a ride once from the app and once from the web. While doing so we intercepted all the requests and found some interesting things.

When a Uber user tries to split the fare, the app reads the user's address book to work out which contacts are registered with Uber, and the response contains far too much information, such as the Uber driver's UUID and the user's UUID. We could enumerate phone numbers in the request and obtain a large number of UUIDs. That is how we got the UUIDs!

Unfortunately, when we submitted the vulnerability, Uber said it was a duplicate; someone had submitted it before us.

April 6, 2016 – vulnerability reported to Uber

April 7, 2016 – Uber needs more information about the vulnerability

April 7, 2016 – we updated the vulnerability information

April 7, 2016 – marked as a duplicate submission

Use the Uber driver app without activation

Any Uber account can apply to become a Uber driver, but driver's license information has to be provided and approved by Uber. We found a way to bypass this review. Normally, if your driver account has not passed Uber's official verification, you cannot use the Uber driver app.

There is a parameter called allownotactivated. If your account is not activated, its value is false.

We then tried changing allownotactivated from false to true and, unexpectedly, gained access to the Uber driver app, even though the driver account we were testing had not yet been reviewed by Uber.

You can see the interface of the Uber driver app we successfully accessed.

But when we submitted this vulnerability, Uber notified us that it was a duplicate.

March 31, 2016 – vulnerability reported to Uber

March 31, 2016 – Uber asks for more details of the vulnerability

March 31, 2016 – we supplied the additional details

April 7, 2016 – Uber marked the vulnerability as a duplicate submission

View a Uber driver's trip history through a UUID

The Uber app has a new feature called waybill. We found that by combining the packet sent by this service with a Uber driver's UUID, we can learn the driver's last trip information.

But how do we get a Uber driver's UUID? It is very simple. First request a ride; after a driver accepts the order, cancel it and capture the packets during cancellation. The captured packet contains the Uber driver's UUID. Not only that, the response also contains the driver's last trip information: where the order was received, the name of the passenger, the number of passengers and the passenger's destination. All of this is in the packet.

Then fill in the waybill, and you can see the driver's license plate number, car model, name, driving route and other information.

March 31, 2016 – vulnerability reported to Uber

April 1, 2016 – Uber begins reviewing the vulnerability

April 13, 2016 – Uber begins fixing the bug

April 18, 2016 – Uber paid the bounty

Viewing other people's itinerary information without authorization

Remember the third vulnerability? We obtained someone's registered email address by forging their UUID.

The packet screenshot below is the request a user sends to view their own itinerary. Pay attention to the information in the red box. Does it look familiar? Yes, it's the UUID.

When we replace this UUID with another person's UUID, the response contains that person's travel information.
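The pattern shared by the help-request email, driver trip history and itinerary findings, together with the allownotactivated flag, is that the server acts on identity or state supplied by the client. As an added example that is not Uber's code, the handlers below show the server-side ownership and state checks that close it; all tokens, UUIDs and records are constructed.

```python
"""Ownership checks for UUID-keyed resources.

Added example, not Uber's code. It models the pattern shared by the email,
trip-history, itinerary and allownotactivated findings: the server acts on
identity or state supplied by the client. The fix takes the caller from the
session and entitlements from server-side records. All data is constructed.
"""

# Constructed server-side state (a real service would use a database)
SESSIONS = {"tok-alice": "uuid-alice", "tok-bob": "uuid-bob"}
USERS = {
    "uuid-alice": {"email": "alice@example.com", "driver_activated": False},
    "uuid-bob":   {"email": "bob@example.com",   "driver_activated": True},
}
TRIPS = {"trip-1": {"rider": "uuid-alice", "driver": "uuid-bob", "route": "A -> B"}}

class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested record."""

def caller_uuid(headers):
    """Identity comes only from the session token; a client-sent header such as
    x-uber-uuid is never used to choose the subject of the request."""
    uuid = SESSIONS.get(headers.get("authorization"))
    if uuid is None:
        raise Forbidden("not authenticated")
    return uuid

def get_email_vulnerable(headers, params):
    # Pattern from the writeup: whatever uuid the client sends selects the record.
    return USERS[params["uuid"]]["email"]

def get_email_hardened(headers, params):
    me = caller_uuid(headers)
    if params.get("uuid", me) != me:        # any uuid in the request must be the caller's
        raise Forbidden("uuid does not match session")
    return USERS[me]["email"]

def get_trip_hardened(headers, params):
    """A trip is visible only to its rider and its driver, per the server-side relation."""
    me = caller_uuid(headers)
    trip = TRIPS.get(params["trip_id"])
    if trip is None or me not in (trip["rider"], trip["driver"]):
        raise Forbidden("no access to this trip")
    return trip

def driver_app_allowed_hardened(headers, params):
    """Activation is read from the account record; a client flag such as
    allownotactivated=true in params is ignored."""
    return USERS[caller_uuid(headers)]["driver_activated"]
```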

March 31, 2016 – vulnerability reported to Uber

March 31, 2016 – Uber begins reviewing the vulnerability

April 5, 2016 – Uber starts fixing the bug

April 13, 2016 – Uber grants the bounty